Re: [D] log4j version 2.17.1 [logging-log4j2]

2025-05-20 Thread via GitHub


GitHub user mmahant17 added a comment to the discussion: log4j version 2.17.1

Thank you for your prompt response.

GitHub link: 
https://github.com/apache/logging-log4j2/discussions/3679#discussioncomment-13212196


This is an automatically sent email for dev@logging.apache.org.
To unsubscribe, please send an email to: dev-unsubscr...@logging.apache.org



Re: [D] log4j version 2.17.1 [logging-log4j2]

2025-05-20 Thread via GitHub


GitHub user ppkarwasz added a comment to the discussion: log4j version 2.17.1

> Could you please confirm if Log4j version 2.17.1 is supported?

Whether we "support" Log4j version `2.17.0` depends on how you define 
"support," so let’s break it down:

- We **no longer** maintain the `2.17.x` minor version. Only the latest release 
within the `2.x` series receives updates — including security fixes. If a 
vulnerability is discovered, you'll need to upgrade to the latest `2.x` version 
or patch `2.17.x` yourself.

- We do **not** accept bug reports for `2.17.x`. All issues must be 
reproducible in the latest available version.

- We **do** accept security vulnerability reports affecting `2.17.x`, and we 
will publish a security advisory if needed. However, as noted above, we will 
not release new patches for the `2.17.x` line.

- [**Community support**](https://logging.apache.org/support.html#discussions-user) 
remains **available** on a best-effort basis. We even occasionally answer 
questions about Log4j 1.x — if someone remembers how it worked!

- For guaranteed support with SLAs, some companies offer 
[**commercial support**](https://logging.apache.org/support.html#commercial) 
for Log4j.


GitHub link: 
https://github.com/apache/logging-log4j2/discussions/3679#discussioncomment-13212261








Re: [D] log4j version 2.17.1 [logging-log4j2]

2025-05-20 Thread via GitHub


GitHub user ppkarwasz added a comment to the discussion: log4j version 2.17.1

That’s an excellent answer — thank you!
Just to add for completeness: version 2.17.0 was never affected by 
CVE-2021-44832. This was confirmed in a later review (see 
apache/logging-site#6).

GitHub link: 
https://github.com/apache/logging-log4j2/discussions/3679#discussioncomment-13212117





Re: [D] log4j version 2.17.1 [logging-log4j2]

2025-05-20 Thread via GitHub


GitHub user perry2of5 added a comment to the discussion: log4j version 2.17.1

Please refer to the security page:
https://logging.apache.org/security.html

Also, mvnrepository.com provides links to most security vulnerabilities from 
affected artifacts. For example, on log4j-core, it doesn't show any 
vulnerabilities on versions after 2.17.0:
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core



GitHub link: 
https://github.com/apache/logging-log4j2/discussions/3679#discussioncomment-13211970

